System Restore archiving sandbox files?

Hi all,

I posted on this earlier, but I have new information that redirects the questions. If I am meant to edit the old question instead of post a new one, please inform me so that I may do that in the future.

ZoneAlarm picked up a virus in my system restore data the other day called Virus.DOS.horse. Quarantined it and all was well. However, I am baffled as to how it got in there. I am careful with my browsing and downloading, I keep ForceField browser virtualization on at all times, and ZoneAlarm never alerted me previously to any infected files, even after scheduled scans. My only theory is that a temporary file from some internet-based program got infected and archived. Now, I've heard that some virtualization programs can archive sandbox data in system restore, and perhaps a sandbox infect-me decoy file from ForceField got archived somehow. Anyone know anything about this, or how to stop it? I haven't cleared my virtual data in some time. Not too worried, as restore is an archive and viruses cannot run out of it unless a restore point is restored. It's just rattling anxiously around in my brain until I can get an answer.

Secondly, I'm baffled as to how this file was brought to my attention. I had no scans scheduled for that day, and viruses cannot run out of restore, so on-access scanning is out. I did leave the computer idle for roughly ten minutes after starting it up, and my scheduled scans do get backed up as I don't use that computer too often, so it could have done a quick scan and picked it up, although I didn't know that quick scan scanned the restore files. Is there some background monitoring that could have picked it up even though it wasn't accessed? I'm using ZoneAlarm Extreme Security.

Anyone have any alternative explanations for these questions? Anyone have any info on this virus?

Re: System Restore archiving sandbox files?

I'll remove the restore points the next time I boot up that computer. It's an old computer of mine and not at home, so I'll have to do it when I get time at work, where it is.

I haven't had any problems, per se. Is it necessary to do the scan even if a regular super-scan picks up nothing? I would assume that ZL would pick up on virus-like behavior and alert the user even if it couldn't automatically stop or clean it.

Re: System Restore archiving sandbox files?

In case of infection (or possible malware presence) it's always better to cross-check that your system is clean. One scan of ZA is enough, but you should also use other freely available malware tools. This is just for peace of mind. Again, the malware cleanup guideline details the process.

Re: System Restore archiving sandbox files?

Just for clarification, a super scan in regular mode would still pick up any viruses, but they may only be able to be removed in safe mode?

Also, I backed up some files from that computer after ZL quarantined the virus; pictures, documents and savegames mostly. I then took them home on a LaCie drive and scanned them, while still on the drive, with both ZL Extreme Security and McAfee Security Center, on different computers. Both scans found nothing. Does this mean they're clean? Can viruses elude security programs this well? I never knew viruses to be that subtle.

Re: System Restore archiving sandbox files?

Thanks. I'm pretty sure I'm clean, but I'll run the additional scan just to be sure.

I highly doubt that there's anything in the files I backed up. Considering all the scans I did, and the fact that ZL picked up the original virus so easily, and the fact that all of these backed-up files are on my main terabyte drive on my main PC as well, as a backup for the backup, and there are no problems on this PC, aaaand the nature of the files themselves (excuse the run-on sentence), I'm confident that they are not infected. Something would have given me some warning, even if they weren't cleanable.